Bytes IT Community

IIS6 & ASP: accessing network files with FSO fails

after spending countless hours trying, i give up and hope to get some help
in here.

on server1 i got the web myweb.com with my test.asp. in the test.asp, i'm
trying to read a file from a UNC path with an FSO:
Set myFile = Server.CreateObject("Scripting.FileSystemObject").GetFile("\\server2\myshare\myfile.txt")
this fails with a Permission Denied.

here's the deal:
- server1 & server2 are members of a domain
- iis6 is used with asp (not .net)
- myweb.com runs in the context of a domain user (my admin account even, for
testing purposes)
- the unc share has full rights to Everyone
- the file permissions on server2 are set to full rights to Everyone
- i can successfully read the file *with the same code* in a test.vbs
- if i set up a virtual folder to the unc path using "connect as" within the
iis6, i can browse the remote files with my webbrowser - but the asp code
still fails.

this is driving me crazy. all howtos, posts and pages i found tell me to run
the web as a domain user with sufficient rights -- this is what i'm doing,
but it just won't work!

any help is greatly appreciated!
- thomas
Jul 22 '05 #1
36 Replies


On Mon, 21 Mar 2005 04:18:23 +0100, "Thomas" <me@alternize.com> wrote:
> after spending countless hours trying, i give up and hope to get some help
> in here.
>
> on server1 i got the web myweb.com with my test.asp. in the test.asp, i'm
> trying to read a file from an UNC path with a FSO:
> Set myFile = Server.CreateObject("Scripting.FileSystemObject").GetFile("\\server2\myshare\myfile.txt")
> this fails with an Permission Denied.
>
> here's the deal:
> - server1 & server2 are members of a domain
> - iis6 is used with asp (not .net)
> - myweb.com runs in the context of a domain user (my admin account even, for
> testing purposes)
> - the unc share has full rights to Everyone
> - the file permissions on server2 are set to full rights to Everyone
> - i can successfully read the file *with the same code* in a test.vbs
> - if i set up a virtual folder to the unc path using "connect as" within the
> iis6, i can browse the remote files with my webbrowser - but the asp code
> still fails.
>
> this is driving me crazy. all howtos, posts and pages i found tell me to run
> the web as a domain user with sufficient rights -- this is what i'm doing,
> but it just won't work!

You post lots of details, but you left out the most important one --
Just exactly what does "fails" and "won't work" mean?

Jeff

Jul 22 '05 #2

basically, everything in ASP that incorporates FSO accessing remote UNC
paths fails - reading folders, files and writing to them fails. even a
FileExists check fails:

oFSO.FileExists("\\server2\myshare\myfile.txt") returns always false -
even though i can access the file directly (i.e. not using oFSO).

i don't think it's a problem with my code, as it works perfectly for local
files - even when i access them through their local UNC path (i.e.
"\\server1\d$\justatest.txt")

so: any function trying to read/write/access remote files through an unc
path within ASP results in a "permission denied" or "file not found"
runtime error.

- thomas

Jul 22 '05 #3

interesting point:

the web does not allow anonymous access.

when i enable anonymous access and put in the domain account as user, my
script works. so obviously asp is not running in the web application
pool, but under a different user context (which one??) when anonymous
access is disabled.

the users logging in are domain users with full rights to the network -
so iis/asp does not seem to impersonate them either.

so the question comes down to: what user is my asp script running in
(obviously not the one from my app pool) when i disable anonymous
access? the web's w3wp.exe is running as the app pool user (my domain
account).

as a workaround i could just enable anonymous access and then check on
script basis if the user is logged in. but i somehow feel that this is
not how it should work. ;-)

Jul 22 '05 #4
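
The question in the post above, which account the script actually runs as, can be answered by having a page report it. The following diagnostic is an added example, not code posted in the thread: the file name whoami.asp is an assumption, the two paths are the ones quoted in the posts above, and it uses only the built-in Request, Server, WScript.Network and Scripting.FileSystemObject objects.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
' Added diagnostic page (not from the thread). Save it as whoami.asp
' (assumed name) in the same web as test.asp.
Const REMOTE_FILE = "\\server2\myshare\myfile.txt"  ' UNC path from the question
Const LOCAL_FILE  = "\\server1\d$\justatest.txt"    ' local UNC path from post #3

Dim net, fso

' Write one HTML-encoded "label: value" line.
Sub Show(label, value)
    Response.Write Server.HTMLEncode(label & ": " & value) & "<br>" & vbCrLf
End Sub

' Try one FSO call and report the VBScript error instead of aborting the page.
' Err.Number 70 is the error ASP displays as 800a0046 (Permission denied).
Sub Probe(path)
    Dim f, size
    On Error Resume Next
    Set f = fso.GetFile(path)
    If Err.Number = 0 Then size = f.Size
    If Err.Number = 0 Then
        Show path, "OK, " & size & " bytes"
    Else
        Show path, "error 0x" & Hex(Err.Number) & " " & Err.Description
    End If
    Err.Clear
    On Error GoTo 0
End Sub

' What IIS authenticated the request as (both empty for an anonymous request).
Show "AUTH_TYPE", Request.ServerVariables("AUTH_TYPE")
Show "LOGON_USER", Request.ServerVariables("LOGON_USER")

' The account the script itself is executing as, as reported by WScript.Network.
Set net = Server.CreateObject("WScript.Network")
Show "Script runs as", net.UserDomain & "\" & net.UserName

' Same FSO call against a local and a remote path, under that account.
Set fso = Server.CreateObject("Scripting.FileSystemObject")
Probe LOCAL_FILE
Probe REMOTE_FILE
%>
```

Request the page once with anonymous access enabled and once with it disabled, then compare the reported account and the two probe results with the logon events recorded on server2.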

Maybe IWAM_MachineName is involved here, not IUSR_MachineName. Have you
considered trying a mapped drive letter instead of the direct UNC share?
Jul 22 '05 #5

> Maybe IWAM_MachineName is involved here, not IUSR_MachineName. Have you
> considered trying a mapped drive letter instead of the direct UNC share?

mapped drives are only valid for logged-on users - which is not the case for
services (i.e. www).
i don't see why IWAM_... could be involved, as the application pool
explicitly specifies a (domain user) identity...

- thomas

"Aaron [SQL Server MVP]" <te*****@dnartreb.noraa> wrote in message
news:BE643462.4160%te*****@dnartreb.noraa...
> Maybe IWAM_MachineName is involved here, not IUSR_MachineName. Have you
> considered trying a mapped drive letter instead of the direct UNC share?

Jul 22 '05 #6

> mapped drives are only valid for logged-on users - which is not the case for
> services (i.e. www).
> i don't see why IWAM_... could be involved, as the application pool
> explicitly specifies a (domain user) identity...

Just throwing out ideas. Tough to troubleshoot when we can't see the box.
<shrug>
Jul 22 '05 #7

On Mon, 21 Mar 2005 03:55:45 -0800, thomas h <me@alternize.com> wrote:
> interesting point:
>
> the web does not allow anonymous access.
>
> when i enable anonymous access and put in the domain account as user, my
> script works. so obviously asp is not running in the web application
> pool, but under a different user context (which one??) when anonymous
> access is disabled.
>
> the users logging in are domain users with full rights to the network -
> so iis/asp does not seem to impersonate them either.
>
> so the question comes down to: what user is my asp script running in
> (obviously not the one from my app pool) when i disable anonymous
> access? the web's w3wp.exe is running as the app pool user (my domain
> account).

Normally IUSR/IWAM or the logged in user account. This is ASP and not
.NET correct? Have you tried giving the network account access?

Jeff

> as a workaround i could just enable anonymous access and then check on
> script basis if the user is logged in. but i somehow feel that this is
> not how it should work. ;-)

Jul 22 '05 #8

this is pure asp, yep.

if you're right, this would imply asp scripts not being executed in-process
within the web. i somehow can't believe this... especially as it seems to
work when enabling anonymous access to the web. i KNOW asp.net runs within
the web application pool process and its identity. not having the same
possibility for classic asp looks like a bug or design failure to me... ;-(

also, asp not using the "connect as" identity when accessing unc virtual
folders does not make any sense. i just can not (well, i can, but i don't
want to) give iusr or iwam access to the network shares. this would other
webs allow to read & write there as well - intolerable.

thomas

"Jeff Cochran" <je*********@zina.com> wrote in message
news:42***************@msnews.microsoft.com...
> Normally IUSR/IWAM or the logged in user account. This is ASP and not
> .NET correct? Have you tried giving the network account access?
>
> Jeff

Jul 22 '05 #9

On Mon, 21 Mar 2005 16:03:34 +0100, "Thomas" <me@alternize.com> wrote:
> this is pure asp, yep.
>
> if you're right, this would imply asp scripts not being executed in-process
> within the web. i somehow can't believe this... especially as it seems to
> work when enabling anonymous access to the web. i KNOW asp.net runs within
> the web application pool process and its identity. not having the same
> possibility for classic asp looks like a bug or design failure to me... ;-(
>
> also, asp not using the "connect as" identity when accessing unc virtual
> folders does not make any sense. i just can not (well, i can, but i don't
> want to) give iusr or iwam access to the network shares. this would other
> webs allow to read & write there as well - intolerable.

With Windows integrated authentication, the connection should be the
account of the logged in user. Unless your user isn't getting logged
in correctly.

Jeff

Jul 22 '05 #10

> With Windows integrated authentication, the connection should be the
> account of the logged in user. Unless your user isn't getting logged
> in correctly.

i can assure you i'm logged in correctly. and as domain admin i also have
enough rights to access any share or file within the network.

when anonymous access on the web is disabled, i get the following eventlog
entries on server2 (where the asp tries to access the files):

ID 538:
User Logoff:
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID: (0x0,0xF44FFC)
Logon Type: 3

this only happens when anonymous access is turned off. once i turn it on and
supply the user information in the iis management console, i get these
entries in the eventlog:

ID 540:
Successful Network Logon:
User Name: iistest
Domain: DOM
Logon ID: (0x0,0xF640E0)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: TATOOINE

when having anon disabled, i only get logoff event log entries (ID 538),
whereas with anon enabled i get the successful logons (ID 540). in the
web's directory security tab, i have [x] windows authentication enabled.
this is doing my head in ;-(

- thomas

Jul 22 '05 #11

On Mon, 21 Mar 2005 20:51:43 +0100, "Thomas" <me@alternize.com> wrote:
>> With Windows integrated authentication, the connection should be the
>> account of the logged in user. Unless your user isn't getting logged
>> in correctly.
>
> i can assure you i'm logged in correctly. and as domain admin i also have
> enough rights to access any share or file within the network.
>
> when anonymous access on the web is disabled, i get the following eventlog
> entries on server2 (where the asp tries to access the files):
>
> ID 538:
> User Logoff:
> User Name: ANONYMOUS LOGON
> Domain: NT AUTHORITY
> Logon ID: (0x0,0xF44FFC)
> Logon Type: 3
>
> this only happens when anonymous access is turned off.

This seems to indicate you're not passing credentials and logging in
as the account you say you're logged in as.

Try creating a simple HTML file on the web server. Using NTFS
permissions, only allow access to a single user account. Log onto a
workstation with this account and see if you can access the HTML file.
No second server connection involved here. As long as IE is passing
credentials for the server/domain (the domain is in the intranet
security zone) then you should have access. If not, you're not using
the account you think you are.

Also, try using filemon on server 2 to see what account is trying to
access the file. From systernals.com.

Jeff

> once i turn it on and supply the user information in the iis management
> console, i get these entries in the eventlog:
>
> ID 540:
> Successful Network Logon:
> User Name: iistest
> Domain: DOM
> Logon ID: (0x0,0xF640E0)
> Logon Type: 3
> Logon Process: NtLmSsp
> Authentication Package: NTLM
> Workstation Name: TATOOINE
>
> when having anon disabled, i only get logoff event log entries (ID 538),
> whereas with anon enabled i get the successful logons (ID 540). in the
> web's directory security tab, i have [x] windows authentication enabled.
> this is doing my head in ;-(
>
> - thomas

Jul 22 '05 #12

> security zone) then you should have access. If not, you're not using
> the account you think you are.

i did this test and it works just fine - i can login with the domain account
and browse the website. but i cannot access the remote files - the eventlog
still shows the same results. :-(

> Also, try using filemon on server 2 to see what account is trying to
> access the file. From systernals.com.

already tried this. there is no activity on the files in question. i guess
asp therefore can not even access the share (which is configured to give
Everyone full access).

- thomas

Jul 22 '05 #13

Aaron Bertrand
99 Kingstown Rd
Richmond, RI
02898

Thanks again!

A
Jul 22 '05 #14

Umm, whoops, hit reply in the wrong place. Everyone please disregard that
address, and go about your business. :-)

Anyway, I'm still not convinced that you are authenticating the way you
think you are when IIS tries to access the other machine. Are you absolutely
positive that anonymous access is disabled? Are you prompted to enter
network credentials, or does this happen transparently (in other words, you
assume you are authenticating correctly)?

You say that you gave "Everyone" full access on Server2. Well, this only
includes accounts that Server2 knows about. Humor us and add an explicit
local username IUSR_Server1 and synchronize the password with the IUSR
account on Server1.

A

Jul 22 '05 #15

(Where's the damned recall feature.)


"Aaron [SQL Server MVP]" <te*****@dnartreb.noraa> wrote in message
news:e7**************@tk2msftngp13.phx.gbl...
Aaron Bertrand

Jul 22 '05 #16

> Anyway, I'm still not convinced that you are authenticating the way you
> think you are when IIS tries to access the other machine. Are you
> absolutely positive that anonymous access is disabled?

well. "[ ] enable anonymous access" is unchecked. and i'm prompted for login
credentials when browsing the website.

> Are you prompted to enter
> network credentials, or does this happen transparently (in other words,
> you assume you are authenticating correctly)?

100% - i am prompted for password and stuff ;-)
also i can see on the domain server my login events.

> You say that you gave "Everyone" full access on Server2. Well, this only
> includes accounts that Server2 knows about. Humor us and add an explicit
> local username IUSR_Server1 and synchronize the password with the IUSR
> account on Server1.

created user IUSR_TATOOINE on server2. no luck:

Microsoft VBScript runtime error '800a0046'
Permission denied

eventlog on server2 still shows:
User Logoff:
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID: (0x0,0x10FB1B4)
Logon Type: 3

- thomas

"Aaron [SQL Server MVP]" <te*****@dnartreb.noraa> wrote in message
news:%2****************@TK2MSFTNGP14.phx.gbl...
Umm, whoops, hit reply in the wrong place. Everyone please disregard that
address, and go about your business. :-)

Anyway, I'm still not convinced that you are authenticating the way you
think you are when IIS tries to access the other machine. Are you
absolutely positive that anonymous access is disabled? Are you prompted to enter
network credentials, or does this happen transparently (in other words,
you assume you are authenticating correctly)?

You say that you gave "Everyone" full access on Server2. Well, this only
includes accounts that Server2 knows about. Humor us and add an explicit
local username IUSR_Server1 and synchronize the password with the IUSR
account on Server1.

A

"Thomas" <me@alternize.com> wrote in message
news:uN**************@TK2MSFTNGP14.phx.gbl...
> security zone) then you should have access. If not, you're not using
> the account you think you are.

i did this test and it works just fine - i can login with the domain account
and browse the website. but i cannot access the remote files - the eventlog
still shows the same results. :-(

> Also, try using filemon on server 2 to see what account is trying to
> access the file. From systernals.com.

already tried this. there is no activity on the files in question. i guess
asp therefore can not even access the share (which is configured to give
Everyone full access).

- thomas
"Jeff Cochran" <je*********@zina.com> wrote in message
news:42***************@msnews.microsoft.com...
> On Mon, 21 Mar 2005 20:51:43 +0100, "Thomas" <me@alternize.com> wrote:
>
>>> With Windows integrated authentication, the connection should be the
>>> account of the logged in user. Unless your user isn't getting logged
>>> in correctly.
>>
>>i can assure you i'm logged in correctly. and as domain admin i also have
>>enough rights to access any share or file within the network.
>>
>>when anonymous access on the web is disabled, i get the following eventlog
>>entries on server2 (where the asp tries to access the files):
>>
>>ID 538:
>>User Logoff:
>> User Name: ANONYMOUS LOGON
>> Domain: NT AUTHORITY
>> Logon ID: (0x0,0xF44FFC)
>> Logon Type: 3
>>
>>this only happens when anonymous access is turned off.
>
> This seems to indicate you're not passing credentials and logging in
> as the account you say you're logged in as.
>
> Try creating a simple HTML file on the web server. Using NTFS
> permissions, only allow access to a single user account. Log onto a
> workstation with this account and see if you can access the HTML file.
> No second server connection involved here. As long as IE is passing
> credentials for the server/domain (the domain is in the intranet
> security zone) then you should have access. If not, you're not using
> the account you think you are.
>
> Also, try using filemon on server 2 to see what account is trying to
> access the file. From systernals.com.
>
> Jeff
>
>
>>once i turn it on and
>>supply the user information in the iis management console, i get these
>>entries in the eventlog:
>>
>>ID 540:
>>Successful Network Logon:
>> User Name: iistest
>> Domain: DOM
>> Logon ID: (0x0,0xF640E0)
>> Logon Type: 3
>> Logon Process: NtLmSsp
>> Authentication Package: NTLM
>> Workstation Name: TATOOINE
>>
>>when having anon disabled, i only get logoff event log entries (ID
>>538),
>>whereas with anon enabled i get the successfull logons (ID 540). in the
>>web's directory security tab, i have [x] windows authentication
>>enabled.
>>this is doing my head in ;-(
>>
>>- thomas
>>
>>
>>"Jeff Cochran" <je*********@zina.com> wrote in message
>>news:42***************@msnews.microsoft.com...
>>> On Mon, 21 Mar 2005 16:03:34 +0100, "Thomas" <me@alternize.com>
>>> wrote:
>>>
>>>>this is pure asp, yep.
>>>>
>>>>if you're right, this would imply asp scripts not being executed
>>>>in-process
>>>>within the web. i somehow can't believe this... especially as it
>>>>seems
>>>>to
>>>>work when enabling anonymous access to the web. i KNOW asp.net runs
>>>>within
>>>>the web application pool process and its identity. not having the
>>>>same
>>>>possibility for classic asp looks like a bug or design failure to me...
>>>>;-(
>>>>
>>>>also, asp not using the "connect as" identity when accessing unc virtual
>>>>folders does not make any sense. i just can not (well, i can, but i
>>>>don't
>>>>want to) give iusr or iwam access to the network shares. this would
>>>>other
>>>>webs allow to read & write there as well - intolerable.
>>>
>>> With Windows integrated authentication, the connection should be the
>>> account of the logged in user. Unless your user isn't getting logged
>>> in correctly.
>>>
>>> Jeff
>>>
>>>
>>>
>>>>
>>>>"Jeff Cochran" <je*********@zina.com> wrote in message
>>>>news:42***************@msnews.microsoft.com. ..
>>>>> On Mon, 21 Mar 2005 03:55:45 -0800, thomas h <me@alternize.com> wrote:
>>>>>
>>>>>>interesting point:
>>>>>>
>>>>>>the web does not allow anonymous access.
>>>>>>
>>>>>>when i enable anonymous access and put in the domain account as user,
>>>>>>my
>>>>>>script works. so obviously asp is not running in the web
>>>>>>application
>>>>>>pool, but under a different user context (which one??) when anonymous
>>>>>>access is disabled.
>>>>>>
>>>>>>the users logging in are domain users with full rights to the
>>>>>>network -
>>>>>>so iis/asp does not seem to impersonate them either.
>>>>>>
>>>>>>so the question comes down to: what user is my asp script running
>>>>>>in
>>>>>>(obviously not the one from my app pool) when i disable anonymous
>>>>>>access? the web's w3wp.exe is running as the app pool user (my domain
>>>>>>account).
>>>>>
>>>>> Normally IUSR/IWAM or the logged in user account. This is ASP and not
>>>>> .NET correct? Have you tried giving the network account access?
>>>>>
>>>>> Jeff
>>>>>
>>>>>>as a workaround i could just enable anonymous access and then check on
>>>>>>script basis if the user is logged in. but i somehow feel that this is
>>>>>>not how it should work. ;-)
>>>>>>
>>>>>>*** Sent via Developersdex http://www.developersdex.com ***
>>>>>>Don't just participate in USENET...get rewarded for it!
>>>>>
>>>>
>>>
>>
>



Jul 22 '05 #17

> created user IUSR_TATOOINE on server2. no luck:

Does it have the same password as IUSR on the machine tatooine?
> User Name: ANONYMOUS LOGON


AHA! See, your credentials are not being passed. This means that this page
is really not authenticating as you. What does this yield:

Response.Write Request.ServerVariables("LOGON_USER")

A
Jul 22 '05 #18

> Does it have the same password as IUSR on the machine tatooine?

yep
> AHA! See, your credentials are not being passed. This means that this
> page
> is really not authenticating as you. What does this yield:
>
> Response.Write Request.ServerVariables("LOGON_USER")


DOM\iistest

my test account with admin rights. the credentials are passed. but that does
unfortunately not prove asp is actually running in this context. if it
would, it could access the files as the account is a domain admin (and yes,
it does have the group policy set "allow logon as service")...

- thomas
Jul 22 '05 #19

> my test account with admin rights. the credentials are passed.

Sorry, but you're going to have to hire a consultant to help you figure this
out, or change your approach. (You mentioned before that it was a cardinal
sin to allow anonymous access to these shares for all your webs, but that is
still limited to the code you place in the folders of your web
applications - in other words, you are in control over what your ASP code
does using Scripting.FileSystemObject... unless you are afraid of what
people can do when they have access to the file system directly, in which
case this is the least of your worries, and if they don't have direct access
to the web server, e.g. with term server, they would have to guess your
share name exists AND that IUSR can access it. Anyway, a file share that is
accessible to one web site on a machine inside your network shouldn't really
have anything on it that is too sensitive for other web apps on the same
machine to have access to it.)

We keep telling you your credentials aren't passed, and you keep insisting
that they are, even though you admit that the ASP page isn't using them.

I give up. <shrug>

A
Jul 22 '05 #20

On Mon, 21 Mar 2005 22:21:46 +0100, "Thomas" <me@alternize.com> wrote:
>> Does it have the same password as IUSR on the machine tatooine?
>
>yep
>
>> AHA! See, your credentials are not being passed. This means that this
>> page
>> is really not authenticating as you. What does this yield:
>>
>> Response.Write Request.ServerVariables("LOGON_USER")
>
>DOM\iistest
>
>my test account with admin rights. the credentials are passed. but that does
>unfortunately not prove asp is actually running in this context. if it
>would, it could access the files as the account is a domain admin (and yes,
>it does have the group policy set "allow logon as service")...


You're logging into server 1 fine, there's still something goofy about
permissions to the second server though. IISTest is a domain user,
correct? And it has permissions on server 2 for the
files/folders/share in question, correct? And remember, "Everyone" is
just a group. It isn't necessarily every account on the system.

This is using a UNC convention for the virtual directory pointing to
server 2's share, correct? As in \\server2\sharename? If you log
onto server 1 as the user, can they connect to the share with a NET
USE or just browsing in Windows Explorer?

I gotta say there's something we're missing here. This just isn't
that hard to do. Make sure you're hitting all the steps:

HOW TO: Create a Virtual Directory on an Existing Web Site to a Folder
That Resides on a Remote Computer:
http://support.microsoft.com/default...b;en-us;308150

Jeff
Jul 22 '05 #21

> Sorry, but you're going to have to hire a consultant to help you figure
> this out, or change your approach.

*cough*cough* i'm one of those consultants ;-)

> (You mentioned before that it was a cardinal
> sin to allow anonymous access to these shares for all your webs

no, the shares are not the problem, they are firewalled. the problem is the
web itself cannot be given anonymous access. if i could give it anonymous
access, i could specify the anon user and everything works. but this web
contains sensitive data that has to be protected. but once anon access is
turned off, the asp scripts stop working.

> We keep telling you your credentials aren't passed, and you keep insisting
> that they are, even though you admit that the ASP page isn't using them.

that's exactly my point! the asp engine is falsely NOT using the credentials
even if it should. it is obviously running in a security context that has no
access to the network files.

> I give up. <shrug>


thanks for trying. ;-)

- thomas
Jul 22 '05 #22

> *cough*cough* i'm one of those consultants ;-)

Whoops. Better get another book. :-)
> no, the shares are not the problem, they are firewalled. the problem is the
> web itself cannot be given anonymous access. if i could give it anonymous
> access, i could specify the anon user and everything works. but this web
> contains sensitive data that has to be protected.


Then have a job move/copy the stuff that this web needs to access to a place
that isn't so sensitive!

A
Jul 22 '05 #23

> You're logging into server 1 fine, there's still something goofy about
> permissions to the second server though. IISTest is a domain user, correct?

yes it is. currently belonging to Domain Administrator

> And it has permissions on server 2 for the files/folders/share in
> question, correct?

yes. the folders & files have explicit rights "Full Control" for this
domain user
yes. share has explicit rights "read" and "write" for this user.

> This is using a UNC convention for the virtual directory pointing to
> server 2's share, correct? As in \\server2\sharename?

\\10.1.1.2\dns$\dns.log

> If you log onto server 1 as the user, can they connect to the share
> with a NET USE or just browsing in Windows Explorer?

both works fine.

> I gotta say there's something we're missing here. This just isn't
> that hard to do. Make sure you're hitting all the steps:

i thought so too. but so far i haven't found the missing step.

> HOW TO: Create a Virtual Directory on an Existing Web Site to a Folder
> That Resides on a Remote Computer:
> http://support.microsoft.com/default...b;en-us;308150


i followed this kb entry. i can successfully *browse* the files in internet
explorer through this vf (by directly specify the url). but as soon as i use
an asp script that reads from this virtual directory, i'm hitting the
annoying "permission denied" stuff again.

i really think there is a (design?) fault with credentials when the web has
no anonymous user. i can't find another plausible explanation...

- thomas

Jul 22 '05 #24

> Then have a job move/copy the stuff that this web needs to access to a
> place that isn't so sensitive!


true, or i could just use apache... ;-)

i know there are workarounds for the problem. the simplest would be to just
allow anon access in iis and then force authentication in the asp files. but
somehow i think my problem should be solvable... i can't be the only person
that tries to access remote files through an asp script within a secured
website...

- thomas
Jul 22 '05 #25

> true, or i could just use apache... ;-)

Why don't you? Seriously, if you can't solve the problem and you can't work
around it, you should at least offer the client SOME solution.
> somehow i think my problem should be solvable... i can't be the only person
> that tries to access remote files through an asp script within a secured
> website...


No, I have done this in multiple environments, so there's something not
getting relayed correctly, or there's something involved that you're just
not aware of.

Again, without being able to SEE the environment and verify what you've told
us, I'm unconvinced that everything is as you say it is, and I'm still
giving up.

Jul 22 '05 #26

"Thomas" <me@alternize.com> wrote in message
news:%2****************@tk2msftngp13.phx.gbl...
after spending countless hours trying, i give up and hope to get some help
in here.

on server1 i got the web myweb.com with my test.asp. in the test.asp, i'm
trying to read a file from an UNC path with a FSO:
Set myFile = Server.CreateObject("Scripting.FileSystemObject").GetFile("\\server2\myshare\myfile.txt")
this fails with an Permission Denied.

here's the deal:
- server1 & server2 are members of a domain
- iis6 is used with asp (not .net)
- myweb.com runs in the context of a domain user (my admin account even,
for testing purposes)
- the unc share has full rights to Everyone
- the file permissions on server2 are set to full rights to Everyone
- i can successfully read the file *with the same code* in a test.vbs
- if i set up a virtual folder to the unc path using "connect as" within
the iis6, i can browse the remote files with my webbrowser - but the asp
code still fails.

this is driving me crazy. all howtos, posts and pages i found tell me to
run the web as a domain user with sufficient rights -- this is what i'm
doing, but it just won't work!

any help is greatly appreciated!
- thomas


I suspect you may be encountering the double-hop authentication issue.
Basically, NTLM does not support double-hop authentication because it only
ever deals with a hash of your authentication info. A quick way to see if
this is a double-hop issue is to disable NTLM and enable basic
authentication. Basic authentication will work because the actual
username/password get sent.

IMPORTANT! Basic authentication by itself is not a secure methodology as the
authentication info is sent in clear text across the wire.

As such you have two options:
1. Use basic authentication wrapped in SSL

OR

2. Enable Kerberos delegation. Here's a white paper on the topic.
http://www.microsoft.com/technet/pro.../tkerbdel.mspx
Jul 22 '05 #27
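
The two observations argued over earlier in this thread (LOGON_USER reports DOM\iistest on server1, while server2 logs only ANONYMOUS LOGON with Logon Type 3) are what the double-hop issue described in the answer above looks like from the file server's side. The Python sketch below is an added example, not code from any poster: it parses event text in the layout pasted in the thread and compares it with the account the web server authenticated. The function names and verdict strings are made up for illustration.

```python
import re

# Event text in the layout pasted in this thread (server2's Security log).
# With anonymous access disabled on the web site:
ANON_DISABLED = """\
ID 538:
User Logoff:
    User Name: ANONYMOUS LOGON
    Domain: NT AUTHORITY
    Logon ID: (0x0,0xF44FFC)
    Logon Type: 3
"""

# With anonymous access enabled and the domain account configured in IIS
# (kept with Usenet quote markers to show they are tolerated):
ANON_ENABLED = """\
>>ID 540:
>>Successful Network Logon:
>> User Name: iistest
>> Domain: DOM
>> Logon ID: (0x0,0xF640E0)
>> Logon Type: 3
>> Logon Process: NtLmSsp
>> Authentication Package: NTLM
>> Workstation Name: TATOOINE
"""

HEADER = re.compile(r"^ID\s+(\d+):\s*$")
FIELD = re.compile(r"^([A-Za-z ]+?):\s*(\S.*?)\s*$")


def parse_events(text):
    """Split pasted event text into dicts, one per 'ID nnn:' block."""
    events = []
    for raw in text.splitlines():
        line = raw.lstrip("> \t")  # drop quote markers and indentation
        header = HEADER.match(line)
        if header:
            events.append({"id": int(header.group(1))})
        elif events:
            field = FIELD.match(line)
            if field:  # title lines such as 'User Logoff:' carry no value
                events[-1][field.group(1)] = field.group(2)
    return events


def split_account(name):
    """'DOM\\iistest' -> ('dom', 'iistest'); a bare name gets an empty domain."""
    domain, _, user = name.rpartition("\\")
    return domain.lower(), user.lower()


def diagnose(frontend_user, backend_events):
    """Compare server1's authenticated user with the logons server2 recorded."""
    want_domain, want_user = split_account(frontend_user)
    verdict, evidence = "inconclusive", []
    for ev in backend_events:
        if ev.get("Logon Type") != "3":  # only network logons are relevant
            continue
        user = ev.get("User Name", "").lower()
        domain = ev.get("Domain", "").lower()
        if want_user and user == want_user and want_domain in ("", domain):
            return {"verdict": "credentials-forwarded", "evidence": [ev]}
        if user == "anonymous logon" and domain == "nt authority":
            # Null sessions from unrelated services log the same way,
            # so this is a hint to test further, not proof.
            verdict = "double-hop-suspected"
            evidence.append(ev)
    return {"verdict": verdict, "evidence": evidence}


if __name__ == "__main__":
    for label, text in (("anon disabled", ANON_DISABLED),
                        ("anon enabled", ANON_ENABLED)):
        result = diagnose("DOM\\iistest", parse_events(text))
        print(label, "->", result["verdict"])
```
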

YES!

you're right. having only basic authentication enabled solved my problem.
the asp scripts work as they should! i wasn't aware that basic
authentication would work without ntlm.
the security aspect of using basic authentication only is already solved by
having everything in a secure vpn.

thanks very much - now i can sleep in peace again ;-)

- thomas
"Chris Hohmann" <no****@thankyou.com> wrote in message
news:ez**************@TK2MSFTNGP10.phx.gbl...
"Thomas" <me@alternize.com> wrote in message
news:%2****************@tk2msftngp13.phx.gbl...
after spending countless hours trying, i give up and hope to get some
help in here.

on server1 i got the web myweb.com with my test.asp. in the test.asp, i'm
trying to read a file from an UNC path with a FSO:
Set myFile = Server.CreateObject("Scripting.FileSystemObject").GetFile("\\server2\myshare\myfile.txt")
this fails with an Permission Denied.

here's the deal:
- server1 & server2 are members of a domain
- iis6 is used with asp (not .net)
- myweb.com runs in the context of a domain user (my admin account even,
for testing purposes)
- the unc share has full rights to Everyone
- the file permissions on server2 are set to full rights to Everyone
- i can successfully read the file *with the same code* in a test.vbs
- if i set up a virtual folder to the unc path using "connect as" within
the iis6, i can browse the remote files with my webbrowser - but the asp
code still fails.

this is driving me crazy. all howtos, posts and pages i found tell me to
run the web as a domain user with sufficient rights -- this is what i'm
doing, but it just won't work!

any help is greatly appreciated!
- thomas


I suspect you may be encountering the double-hop authentication issue.
Basically, NTLM does not support double-hop authentication because it only
ever deals with a hash of your authentication info. A quick way to see if
this is a double-hop issue is to disable NTLM and enable basic
authentication. Basic authentication will work because the actual
username/password get sent.

IMPORTANT! Basic authentication by itself is not a secure methodology as
the authentication info is sent in clear text across the wire.

As such you have two options:
1. Use basic authentication wrapped in SSL

OR

2. Enable Kerberos delegation. Here's a white paper on the topic.
http://www.microsoft.com/technet/pro.../tkerbdel.mspx

Jul 22 '05 #28

unchecking "[ ] integrated windows authentication" did the job. thanks
everyone for helping me here, especially chris hohmann for pointing out the
"double-hop authentication issue"!

- thomas
"Aaron [SQL Server MVP]" <te*****@dnartreb.noraa> wrote in message
news:BE64D038.42A7%te*****@dnartreb.noraa...
true, or i could just use apache... ;-)


Why don't you? Seriously, if you can't solve the problem and you can't
work
around it, you should at least offer the client SOME solution.
somehow i think my problem should be solvable... i can't be the only
person
that tries to access remote files through an asp script within a secured
website...


No, I have done this in multiple environments, so there's something not
getting relayed correctly, or there's something involved that you're just
not aware of.

Again, without being able to SEE the environment and verify what you've
told
us, I'm unconvinced that everything is as you say it is, and I'm still
giving up.

Jul 22 '05 #29

Good catch Chris. You should ask for a chunk of his consulting fees.
I suspect you may be encountering the double-hop authentication issue.
Basically, NTLM does not support double-hop authentication because it only
ever deals with a hash of your authentication info. A quick way to see if
this is a double-hop issue is to disable NTLM and enable basic
authentication. Basic authentication will work because the actual
username/password get sent.

IMPORTANT! Basic authentication by itself is not a secure methodology as the
authentication info is sent in clear text across the wire.

As such you have two options:
1. Use basic authentication wrapped in SSL

OR

2. Enable Kerberos delegation. Here's a white paper on the topic.
http://www.microsoft.com/technet/pro...echnologies/security/tkerbdel.mspx


Jul 22 '05 #30

"Aaron [SQL Server MVP]" <te*****@dnartreb.noraa> wrote in message
news:BE64D850.42BC%te*****@dnartreb.noraa...
Good catch Chris. You should ask for a chunk of his consulting fees.


Thomas should feel free to direct all consulting fees here:
http://aspfaq.com/donate.asp

;-)
Jul 22 '05 #31

Nice. :-)
On 3/21/05 8:47 PM, in article ux**************@TK2MSFTNGP10.phx.gbl, "Chris
Hohmann" <no****@thankyou.com> wrote:
"Aaron [SQL Server MVP]" <te*****@dnartreb.noraa> wrote in message
news:BE64D850.42BC%te*****@dnartreb.noraa...
Good catch Chris. You should ask for a chunk of his consulting fees.


Thomas should feel free to direct all consulting fees here:
http://aspfaq.com/donate.asp

;-)


Jul 22 '05 #32

unfortunately i'm not hired at the moment, the problem came up in one of my
countless personal projects. nevertheless i'll throw in a little something,
after having paid my psychiatrist... after this session i need some
professional support...

j/k

- thomas
"Chris Hohmann" <no****@thankyou.com> wrote in message
news:ux**************@TK2MSFTNGP10.phx.gbl...
"Aaron [SQL Server MVP]" <te*****@dnartreb.noraa> wrote in message
news:BE64D850.42BC%te*****@dnartreb.noraa...
Good catch Chris. You should ask for a chunk of his consulting fees.


Thomas should feel free to direct all consulting fees here:
http://aspfaq.com/donate.asp

;-)

Jul 22 '05 #33

it's always recommended to use UNC rather than mapped drive.
Using Mapped Drives with IIS
http://support.microsoft.com/?id=257174

--
Regards,
Bernard Cheah
http://www.tryiis.com/
http://support.microsoft.com/
http://www.msmvps.com/bernard/
"Aaron [SQL Server MVP]" <te*****@dnartreb.noraa> wrote in message
news:BE643462.4160%te*****@dnartreb.noraa...
Maybe IWAM_MachineName is involved here, not IUSR_MachineName. Have you
considered trying a mapped drive letter instead of the direct UNC share?
On 3/21/05 6:55 AM, in article OR**************@tk2msftngp13.phx.gbl,
"thomas h" <me@alternize.com> wrote:
interesting point:

the web does not allow anonymous access.

when i enable anonymous access and put in the domain account as user, my
script works. so obviously asp is not running in the web application
pool, but under a different user context (which one??) when anonymous
access is disabled.

the users logging in are domain users with full rights to the network -
so iis/asp does not seem to impersonate them either.

so the question comes down to: what user is my asp script running in
(obviously not the one from my app pool) when i disable anonymous
access? the web's w3wp.exe is running as the app pool user (my domain
account).

as a workaround i could just enable anonymous access and then check on
script basis if the user is logged in. but i somehow feel that this is
not how it should work. ;-)

*** Sent via Developersdex http://www.developersdex.com ***
Don't just participate in USENET...get rewarded for it!

Jul 22 '05 #34

Thanks Bernard. As I said, I was just throwing out ideas to help diagnose
the problem, not recommending a solution.
On 3/21/05 9:13 PM, in article Om**************@tk2msftngp13.phx.gbl,
"Bernard" <qb******@hotmail.com.discuss> wrote:
it's always recommended to use UNC rather than mapped drive.
Using Mapped Drives with IIS
http://support.microsoft.com/?id=257174


Jul 22 '05 #35

Thomas wrote:
YES!

you're right. having only basic authentication enabled solved my
problem. the asp scripts work as they should! i wasn't aware that basic
authentication would work without ntlm.
the security aspect of using basic authentication only is already
solved by having everything in a secure vpn.

Everyone thinks that, but they fail to consider that a large percentage of
hacks are perpetrated by disgruntled employees and ex-employees. There is
also the "social engineering" aspect to watch out for (see Google).

Bob Barrows
--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"
Jul 22 '05 #36

true. but as only 2 persons (besides me) have access to that vpn, i would
notice someone going astray ;-)

my security concerns are more on outsiders (e.g. web owners with their webs
on the same machine as the one in question) might want to try to sneak
things out. if i had to give IUSR_ share access, that could IMO have been
quite easily done by a malicious user.

- thomas
"Bob Barrows [MVP]" <re******@NOyahoo.SPAMcom> wrote in message
news:uG**************@tk2msftngp13.phx.gbl...
Thomas wrote:
YES!

you're right. having only basic authentication enabled solved my
problem. the asp scripts work as they should! i wasn't aware that basic
authentication would work without ntlm.
the security aspect of using basic authentication only is already
solved by having everything in a secure vpn.

Everyone thinks that, but they fail to consider that a large percentage of
hacks are perpetrated by disgruntled employees and ex-employees. There is
also the "social engineering" aspect to watch out for (see Google).

Bob Barrows
--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"

Jul 22 '05 #37
